Answers with explanations
- Answer: C Dorian conducting nightly backups provides him availability in case his smartphone is lost or stolen. There is no mention of encryption or password protection, so confidentiality is not a possibility, and there is no discussion of hashing, so integrity is not a possibility. Finally, there is no mention of personal security to Dorian, so safety is not an option.
- Answer: D Aisha's primary concern per the (ISC)² Code of Ethics is the safety and welfare of society and the common good. The preamble goes on to state that strict adherence to this Code is a condition of certification. Since option D, humanity, encompasses all of the other options, answer D is correct.
- Answer: A PII refers to data that can be used to help identify an individual. A facial photo, MAC address, and IP address can be used to identify Ian, but not a password. Learn more here: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-122.pdf.
Reference: Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), NIST Special Publication 800-122, McCallister, Grance, Scarfone, Apr 2010.
- Answer: C Gwendolyn's role, in this case, is data custodian because she manages and protects data on behalf of the data owner. Data subjects are the individuals the PII describes, which here are her subscribers. Data processors handle PII on behalf of the data owner or controller and under that party's instructions; they neither own the data nor decide how it is used.
- Answer: A Usain's next best step is to try to recover his credentials from the dark web. Most websites were not using HyperText Transfer Protocol Secure (HTTPS) during that period, so it is likely that attackers stole PII from Verbal Co., and such dumps often contain cleartext passwords. If this fails, he can try contacting technical support again. Most corporate retention policies require data more than 3 to 7 years old to be destroyed, and even if the tapes were recovered, it is likely that they contain no passwords. Technical support firms are required to follow policies that forbid handing out credentials, and a recovery reset will not work because he no longer has access to the email account.
- Answer: D Quinonez must report such incidents in writing. Although additional sponsors would boost the validity of the complaint, this is not required. Electronic submissions are not acceptable.
- Answer: C Installing firewalls is a sign of due care. Continually verifying that the control actually works, such as maintaining the rules that block traffic and tracking the number of false positives, is due diligence. Due process is the fair treatment of citizens in the judicial system. The question does not imply that Elimu's firm is required to follow specific regulations.
- Answer: D Guidelines are non-mandatory, advisory recommendations. Policies are put together by management and must be followed across the organization. Procedures are detailed step-by-step instructions to achieve a given goal or mandate. Standards are mandatory requirements (for example, a required configuration or product) that give a policy a measurable target.
- Answer: A Wade would use ITIL, which provides best practices for delivering IT services. COSO is an internal control framework used for enterprise risk management. ISO 27001 specifies the requirements for an information security management system (ISMS). COBIT defines a framework for IT management and governance.
- Answer: D Montrie is complying with her PCI-DSS contract, which requires her to protect cardholder data. NIST provides a cybersecurity framework that plays a role similar to the ISO 27000 series for information security management. ITIL provides best practices for delivering IT services. COSO is an internal control framework used for enterprise risk management.
- Answer: B A KPI is a lead indicator: it measures how well the process meant to reach a goal is performing, generally in terms of cost, quality, efficiency, or satisfaction, so that corrections can be made before the goal is missed. A KGI is a lag indicator: it measures, usually as a percentage of the goal, whether the goal has actually been achieved and helps plan the next course of action. In short, KPIs look forward to see whether corrections are needed, whereas KGIs look back to see whether the plan worked.
- Answer: B Phillip will use ISO 27002, the code of practice that describes the security controls to put in place. ISO 27001 specifies the requirements for the management system itself (policy, scope, and risk treatment). ISO 27003 provides guidance on implementing an ISMS and its controls, and ISO 27004 covers monitoring and measuring the controls after implementation.
- Answer: A Since Nina is a forensic accountant, common accounting practices would have been validated, so this leaves collusion as the only possibility.
- Answer: C Nina's next best step is to implement job rotation, which best mitigates collusion. A countermeasure is any control that offsets a threat, so job rotation is a countermeasure, but it is the more specific answer. Business continuity means being able to operate after a disaster, and DLP would apply if corporate plans or finances were being leaked to the public.
- Answer: A The TCO includes all costs for the entire life cycle of an asset. ROI is the value returned on an investment less the cost of the investment, divided by the cost of the investment. The RPO is the maximum acceptable data loss measured in time, that is, the last point before a disruption to which data can be restored. The RTO is the target time within which systems must be back online after a disruption so that the business can continue. Learn more here: https://ithandbook.ffiec.gov/it-booklets/business-continuity-management/iii-risk-management/iiia-business-impact-analysis/iiia3-impact-of-disruption.aspx.
- Answer: C The prudent person principle is a standard of care that a reasonably prudent person would follow in certain situations. This principle, borrowed from the law and insurance industries, is also followed in cybersecurity if it is outside a NIST, PCI-DSS, Center for Internet Security (CIS), or another standard. Due care is the effort made to avoid harm to others, such as putting mitigating controls in place. Due diligence is the practice of due care—for example, making sure the mitigating controls work. Measuring negligence helps to determine if an organization acted prudently.
- Answer: A Scoop will use the CAC. Because the card is something you have, it is the only option that adds a second factor to something-you-know authentication. A password, your mother's maiden name, and your birthday are all something you know, so combining any of them with a PIN is still single-factor authentication (SFA).
- Answer: D Randi must always follow the corporate policy. Getting customer feedback is good, and rewarding inside information can be beneficial, but following management policy is always the most important. Transferring Percy exposes the client to the threat of an immediate bad hire; for example, the new hire may get searched by the Federal Bureau of Investigation (FBI).
- Answer: B If Greg provides a written contract, Dito will have a signed document stating what was expected. If the opportunity fell through, Dito could ask for alternatives by enforcing the contract. An NDA states that Dito keeps corporate secrets private. An AUP states that Dito will use the product in an acceptable manner. Intellectual property (IP) consists of works or inventions that have value to an organization.
- Answer: C Yaza needs to consider the GDPR because she wants to sell masks to EU clients, and in order to do that, she must abide by GDPR law. (A key tenet of GDPR is the data subject's right to erasure, often called the right to be forgotten, which most other privacy acts lack.) The FTC focuses on US trade and consumer protection. HIPAA applies to healthcare providers, insurers, and their business associates. SOX imposes financial reporting controls on public companies and makes corporate fraud a criminal act.
- Answer: A Trevor would consider CSA STAR certification, which demonstrates the cloud service provider's (CSP's) adherence to privacy and security best practices and is the only vendor-neutral option. Azure certification is a Microsoft-only standard, AWS certification is an Amazon-only standard, and RH cloud certification is a Red Hat-only standard.
- Answer: A PCI-DSS is a contractual standard between merchants and the credit card brands. Merchants agree to provide minimum security measures to protect cardholder data. A poor audit risks the shop owner losing the ability to accept credit cards. Federal and legal standards may include fines and even prison time, but PCI-DSS is enforced by contract, not by law, and there is no such thing as a credit card license. Industry standards are non-contractual agreements, for example, automotive manufacturers deciding to put steering wheels on the right if selling to Japan.
- Answer: D Pat would use an SLA to monitor the effectiveness of the service provider. KRIs, KGIs, and KPIs are part of SLAs.
- Answer: B This is a textbook example of ransomware, a type of malware that encrypts or locks the victim's data and demands a ransom payment. Paying the attacker may restore Tara's access to her data, but there is no guarantee, which is why paying is discouraged. Ransomware is a form of DoS, but DoS attacks are, in general, considered availability attacks over a network. MitM attacks are, in general, network attacks designed to intercept traffic between two parties.
- Answer: B Karthik was targeted by a sextortion scam. Most of these are bluffs, and the victim should not send money. Ransomware is distinguished by locking the victim's data. Although this is unwanted email like spam, sextortion adds a monetary demand backed by a threat. Most social engineering attacks involve a degree of spoofing, where the sender pretends to be someone they are not.
- Answer: D Alexis' next best step would be to implement security hardening standards, which includes disabling Telnet and FTP services, installing the latest security updates and patches, and removing default logins and passwords.
- Answer: A Of the four options, the only administrative option is having staff sign the NDA. Zosimo can further layer security with technical controls (for example, DLP and proxy servers) as well as physical controls (for example, security guards).
- Answer: C The key point to this question is on a budget. Dummy cameras are deterrent-type controls that reduce the likelihood of an attack and are very inexpensive. RFID is a detective-type control that is not that expensive but requires a lot of labor expense to add the RFID tags to the books. Security cameras are detective and deterrent control types and are expensive to purchase, install, and monitor. Security guards are an expensive detective type of control as well.
- Answer: D Coop has some of the plain text that goes with the encrypted message, so this is a known plaintext attack.
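As an added illustration of the known plaintext attack in the previous answer (this example is not part of the original answer key), the following Python script attacks a toy repeating-key XOR cipher. The key, the message, and the "known" memo header are all constructed for this example. Given a few bytes of plaintext and the matching ciphertext, XOR-ing them together yields the key bytes at those positions; once enough of the key is recovered, the rest of the message falls out.

```python
"""Known-plaintext attack on a repeating-key XOR cipher.

Constructed example: the key, the message, and the "known" header below are
made up for this illustration; nothing here comes from the question text.
"""
from itertools import cycle


def xor_encrypt(data: bytes, key: bytes) -> bytes:
    """Encrypt (or decrypt; XOR is its own inverse) with a repeating key."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def recover_key(known_plaintext: bytes, ciphertext: bytes, key_len: int) -> bytes:
    """plaintext XOR ciphertext gives the key byte at each position, so the
    first key_len bytes of known plaintext reveal the whole repeating key."""
    if len(known_plaintext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(p ^ c for p, c in zip(known_plaintext[:key_len], ciphertext[:key_len]))


def known_plaintext_attack(known_prefix: bytes, ciphertext: bytes, max_key_len: int = 32):
    """Try increasing key lengths; accept a candidate key once re-encrypting the
    whole known prefix reproduces the ciphertext (the known bytes past key_len
    act as the check, so the prefix must be longer than the key).
    Returns (key, recovered_plaintext) or None.

    Known plaintext only ever yields the key bytes it lines up with, which is
    why a one-time pad (key as long as the message, never reused) is immune.
    """
    for key_len in range(1, min(max_key_len, len(known_prefix) - 1) + 1):
        key = recover_key(known_prefix, ciphertext, key_len)
        if xor_encrypt(known_prefix, key) == ciphertext[:len(known_prefix)]:
            return key, xor_encrypt(ciphertext, key)
    return None


# --- constructed sample data -------------------------------------------------
KEY = b"K3y!"
MESSAGE = b"MEMO: wire $48,500 to the new supplier account today"
CIPHERTEXT = xor_encrypt(MESSAGE, KEY)
KNOWN_PREFIX = b"MEMO: wire"  # the attacker guesses the standard memo header


def demo():
    """Run the attack against the sample; returns (key, plaintext)."""
    return known_plaintext_attack(KNOWN_PREFIX, CIPHERTEXT)


if __name__ == "__main__":
    key, plaintext = demo()
    print("recovered key:", key)
    print("recovered message:", plaintext.decode())
```

The check on candidate key lengths matters: with a known prefix no longer than the key, the attack recovers only the key bytes that prefix covers and `known_plaintext_attack` returns `None`, which is exactly the one-time-pad case.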
- Answer: C Guard dogs are detective control types that recognize attacks and other negative activities. PPs, ToS, and signage are all directive control types.
- Answer: B Ysaline is performing risk transference, since AXQO Corp will now manage the day-to-day IT functions. Risk mitigation is what happens if she continues to operate as is and adds controls. Risk avoidance would not work for her because it would mean not having any IT equipment at all to manage. Risk acceptance is choosing to live with the residual risk that remains after mitigations are put in place.
- Answer: B AV = $2,000; EF = 50%
SLE = AV * EF = $2,000 * 50% = $1,000
ARO = 5
ALE = SLE * ARO = $1,000 * 5 = $5,000
- Answer: A Quantitative risk analysis takes more time than qualitative risk analysis because participants need all of the data (asset values, exposure factors, and occurrence rates) to proceed, and gathering it is time-consuming. Qualitative risk analysis is much quicker because it relies on expert judgment and rankings. It is important that the people who understand the risks to their departments are in the room. Likelihood and impact are used in risk analysis to prioritize asset protection.
- Answer: B Security directors advise on security matters, draft security policy, and contribute to the Configuration Management Board. Senior management includes positions such as CEO, CFO, CIO, and so on, and mandates policies, determines strategic goals, and determines which security frameworks to use. Security personnel follow the security processes of the organization. System administrators manage day-to-day IT operations, including helpdesks.
- Answer: D Bianca's next best step is to submit a DMCA takedown request to the hosting company's designated DMCA agent, listing the copyrighted works and their locations on the website. Legal action generally follows only if the material is not removed; it is a much longer process, so it would take far longer to get her material taken down. Free publicity and watermarking do not help her get her images removed.
- Answer: C A BEC has the characteristics of spear phishing, but the sender's domain name is a look-alike of the company's own and the email appears to come from internal management. Finally, large sums of money are directed outside of the company. Sometimes, funds can be recovered by working with the federal police.
- Answer: A An EAC is when an attacker uses phishing, spear phishing, whaling, password attacks, malware, and so on to take over a legitimate email account, often an executive's, and then uses that account to trick targets into sending funds.
- Answer: B Updates of firewalls, SpamAssassin, and proxies can help reduce the volume of attacks, but none of these systems is perfect. Continuous training programs via live training, videos, podcasts, and so on are the best way to safeguard the organization.
- Answer: A The RPO represents the acceptable amount of data loss in time— for example, snapshots might be taken every 15 minutes, so 15 minutes is the RPO. The RTO is the period to bring all systems back online after a disaster. WRT is the time needed to verify systems and data integrity. MTD is the maximum amount of downtime before going out of business and is generally the sum of WRT and RTO.
- Answer: D A BIA includes prioritization of risks based on impact, likelihood, and exposure. Risk analysis can be qualitative or quantitative. The BIA is part of the BCP, which defines how to continue business operations after a disaster. The DRP details how to recover IT systems and operations after a disaster. An IRP governs the handling of a security incident (detection, containment, eradication, and recovery), which may include bringing in law enforcement, for example, when PII or financial records are stolen over the internet.
Reference: Contingency Planning Guide for Federal Information Systems, NIST Special Publication 800-34 Revision 1, Swanson et al., May 2010.
- Answer: C Dumpster diving, phishing, baiting, and piggybacking are all low-tech methods of engaging the victim directly. MitM attacks use technical tools to intercept the victim's communications. DoS is a network attack that floods the device with data. Doxxing is searching for and publishing private information about individuals.
- Answer: B Mandatory vacations are designed to expose any fraud that might be occurring. If Coco is involved in fraud, she needs to be at work to be monitored for fraudulent activity. Healthy worker vacations are planned and expected. Phishing email issues are better resolved with training than with vacation. Staff need to be on-site for DR simulations so that they know their part in a disaster.
- Answer: C Risk is the product of vulnerability and a possible threat.
- Answer: D Cold sites are empty rooms and designed for low-priority data that can take several weeks or months for recovery. Warm sites have some computer equipment but no current backup tapes. Hot sites have recent backups for fast recovery within minutes to hours. Mirrored sites have the most current information in case of failure.
- Answer: A Although D might be true, the strategy is called DiD, or a layered approach.
- Answer: A Preventive functionality stops an incident from occurring, for example, locks or mantraps. Detective functionality detects or alerts on an incident, for example, motion detectors and job rotation. Deterrents diminish threats by reducing the confidence of the intruder, for example, fences and fake cameras. Recovery controls bring the organization back to normal operations.
- Answer: C The CSO is an advisor to the organization, seeking ways to implement operations and enable business functions within an acceptable level of risk. Option A is wrong because there is no such thing as zero risk, and B is wrong because CMOs are not in charge of security.
- Answer: D SP 800-53 is the Security and Privacy Controls for Federal Information Systems and Organizations document. The document outlines various administrative, technical, and physical security controls to protect organizations.
- Answer: B Script kiddies are in general non-sophisticated and new to hacking. APTs generally work as a group, carefully study the target, and are patient enough to wait for the right time to exploit a vulnerability. Ethical hackers are generally paid to attack organizations to find vulnerabilities but do not harm. Bud could almost be an internal threat since he is a student at the school, but he does not work for the school.
- Answer: B The Wassenaar Arrangement applies export controls and rules for computers, electronics, encryption, and more.
- Answer: D Criminal law is invoked when a person violates laws enacted by a government and requires proof beyond a reasonable doubt, whereas civil law settles disputes between parties on the preponderance of the evidence. Administrative (regulatory) law consists of the rules that government agencies issue and enforce, typically with fines rather than prison. Contract law governs agreements between the parties to a working agreement and can be disputed in court or through a mediator.
- Answer: A A patent requires the invention to be publicly disclosed, and copyright protects only the expression of the code, not the underlying algorithm, so neither keeps the algorithm secret and a competitor can study or reverse-engineer it. A trade secret protects the algorithm for as long as it is kept confidential. Trademarks are used to protect an organization's logo or brand.
- Answer: C Shareware, commercial, and academic licenses come with a EULA, which states how the software can be used. The Linux kernel is licensed under the GNU General Public License (GNU GPL), which gives users the freedom to use, modify, and redistribute the software provided that the source code and the same license terms are passed on to recipients.
- Answer: A The Digital Millennium Copyright Act helps to reduce software piracy by criminalizing the circumvention of copy-protection measures and providing a takedown process for infringing content. The EULA limits what users can do with software they purchase, for example, allowing only 10 users. The BSA promotes the enforcement of software copyrights. The Privacy Act helps to protect user PII.
- Answer: B Fritz is working with procedures because they provide explicit, step-by-step directions for performing specific operations. Policies are documents with concepts developed by management and must be followed. Guidelines are strong recommendations from management but do not have to be followed. Standards are mandatory requirements that give policies a measurable target.
- Answer: B Naomi will need support costs, maintenance costs, and asset costs to calculate the TCO, but not replacement costs.
- Answer: C Viktor needs the exposure factor, which defines the percentage of loss of an asset if a threat is realized. Safeguards add controls to mitigate risks, such as locks or firewalls. Vulnerabilities are weaknesses or flaws in a system, and risk is the probability of an attack or negative event.
- Answer: A Management controls develop policies. Logical and technical controls support technology such as firewalls, switches, and so on. Operational and physical controls support day-to-day activities such as security guards, grounds security, and so on.
- Answer: C Guidelines are informal recommendations that do not have to be followed. Policies are generated by management and are mandatory. Procedures are step-by-step instructions, and standards are mandatory requirements that set the measurable targets a policy must meet.
- Answer: B Since Kei's team has decided not to locate their business in a dangerous area, they are avoiding the risk. Mitigation would be building the business there and then adding 8 ft tall barbed-wire fences around the building. When they purchase insurance on the building, they will be transferring that risk to the insurance company. Any leftover (residual) risk, they will accept.
- Answer: B The security life cycle for products and software starts with idea planning, then putting together the requirements, designing an item based on the requirements, and then developing the item based on the design. Testing ensures that the item functions correctly. Now that the item has passed testing, it can be moved into production. Once the item reaches the end of life (EOL), it is disposed of securely.
- Answer: A PCI-DSS requires firewalls, encryption, antivirus software, physical restrictions, regular testing, and more to protect cardholder data.
- Answer: C The document employees sign acknowledges that they have no reasonable expectation of privacy (REP) on organizational systems, so it waives their privacy rights at the organization. Employee monitoring has to be work-related, that is, only work-related conversations can be monitored, not personal conversations. Monitoring must also be consistent (all staff, not just Vania).
- Answer: D PHI is the details of an individual's medical records. HIPAA requires healthcare providers to exercise due care for patients' PHI. HITECH requires breaches of unsecured PHI to be reported to HHS; PHI that is properly protected, for example, encrypted according to HHS guidance, falls outside that notification requirement.
- Answer: B Credit card issues are managed under PCI-DSS merchant contract agreements. RMS Foods may launch an internal investigation to fire and file criminal charges for the staff that conducted the theft, but the CEO does not face criminal charges for such incidents. NIST, ISO, and GDPR do not direct credit card merchant agreements.
- Answer: A Boris is transferring the risk when asking for assistance from a contractor or other third party. The relationship with the contractor will be finalized with a working agreement. Risk acceptance is when Boris accepts the risk of the project not being completed on time. Risk division is not a proper risk response. Risk avoidance is if Boris decided not to continue with the project.
- Answer: B Trade-secret lawyers help their clients protect trade secrets with licensing agreements, NDAs, and NCAs. Unlike patents, copyrights, and trademarks, trade secrets are not registered with governments.
- Answer: C Since Bjorn heard evidence of the threat through a third party, this is considered hearsay and is normally inconclusive and inadmissible in court. The best evidence rule holds that an original document is the best evidence, not a copy, assuming the original is accessible.
- Answer: A Auditors make sure security policies are followed. Audit reports go to senior management. The CISO sets policy and assigns responsibilities. Managers generally design and implement policy. Data owners make certain security classification levels are properly set.
- Answer: D A SIEM system and an IDS can collect plenty of records regarding an incident, but these can be compromised. Evidence handling is also very important in the case of court prosecution or insurance investigations, but the policy is the most important because it explains how the teams should respond to an incident and which procedures should be followed.
- Answer: D With the checklist test, groups review checklists on their own and follow up with changes later. A tabletop test is a walkthrough where no live changes are made to any systems. A parallel test activates the DR environment alongside production, but the primary systems remain untouched. A full interruption test shuts down the primary site to test the backup site; it can cause a real disaster but is the most thorough test.
- Answer: B Since Simona is in the military, she will use top-secret, secret, confidential, and unclassified. Most corporate environments use confidential, private, sensitive, and public. Classified is generally considered any data that is not unclassified, including top-secret or secret.
- Answer: C In this case, Andre is the data subject, or who the data is about. A data owner is a party liable for the protection of the data—in this case, Pyramid Grocer. A data custodian is responsible for protecting the data—for example, Azure or Amazon Cloud. A data auditor verifies that security policies are being followed on any PII.
- Answer: D An NDA is the only administrative control listed here. Security guards and fencing help prevent data leaks but are physical controls. A DLP mitigates data leaks, but this is a technical control.
- Answer: A Fuzz testing feeds large volumes of random or malformed input into application fields, for example, the name, address, phone number, and so on, to find inputs that crash the application. Input validation mitigates fuzz testing by throwing away invalid input before it is processed. Malware is software installed on a system to harm functionality. DoS is an attack on the network or memory to make a system unusable.
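To make the previous answer concrete, the following added Python example (not part of the original answer key) fuzzes a constructed phone-number field. A naive parser that trusts its input is fed random and mutated strings until it crashes; the same parser behind an input validation check rejects anything that does not match the expected shape and never raises. Parser names, the regular expression, and the seed are all this example's own assumptions.

```python
"""Fuzz testing vs. input validation.

Added example, not from the answer key. A naive phone-number parser that trusts
its input is fuzzed with random strings until it crashes; the validated version
rejects anything that does not match the expected shape and never raises.
"""
import random
import re
import string


def naive_parse_phone(value):
    """Assumes 'NNN-NNN-NNNN' and trusts the caller: anything else raises
    IndexError or ValueError, the kind of defect fuzzing is designed to surface."""
    parts = value.split("-")
    return int(parts[0]), int(parts[1]), int(parts[2])


PHONE_RE = re.compile(r"\d{3}-\d{3}-\d{4}")  # allow-list: the only shape accepted


def validated_parse_phone(value):
    """Same parser behind an allow-list check; invalid input is discarded (None)."""
    if not isinstance(value, str) or not PHONE_RE.fullmatch(value):
        return None
    area, exchange, line = value.split("-")
    return int(area), int(exchange), int(line)


def fuzz(parser, iterations=2000, seed=1):
    """Feed random printable strings (and single-character mutations of a valid
    number) to the parser; collect every input that raised, with the exception type."""
    rng = random.Random(seed)  # fixed seed so any crash found is reproducible
    crashes = []
    for _ in range(iterations):
        if rng.random() < 0.5:
            length = rng.randint(0, 20)
            candidate = "".join(rng.choice(string.printable) for _ in range(length))
        else:
            chars = list("555-867-5309")             # constructed valid input
            chars[rng.randrange(len(chars))] = rng.choice(string.printable)
            candidate = "".join(chars)
        try:
            parser(candidate)
        except Exception as exc:  # any uncaught exception is a finding
            crashes.append((candidate, type(exc).__name__))
    return crashes


def demo():
    """Number of crashing inputs for each parser under the same fuzz corpus."""
    return len(fuzz(naive_parse_phone)), len(fuzz(validated_parse_phone))


if __name__ == "__main__":
    naive_crashes = fuzz(naive_parse_phone)
    print(f"naive parser: {len(naive_crashes)} crashes, e.g. {naive_crashes[:3]}")
    print(f"validated parser: {len(fuzz(validated_parse_phone))} crashes")
```

The mutation branch is what gets a fuzzer past the easy cases: purely random strings almost never contain two dashes, so they only ever exercise the first `int()`, whereas single-character mutations of a valid number reach deeper into the parser.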
- Answer: C Privilege creep occurs as individuals move from department to department and administrators neglect to remove their old privileges. Least privilege means granting users only the privileges they need to do their jobs and removing the rest. Collusion is when two or more people work together to commit fraud against an organization, defeating separation of duties (SoD).
- Answer: B Usernames are for identification purposes only, combined with a password for authentication. A retinal scanner, palm vein scanner, and a CAC are used for both identification and authentication.
- Answer: B Billie performs risk mitigation to take proper steps before negative events occur. A risk assessment identifies potential events and prioritizes assets. Risk acceptance is choosing to live with the residual risk that remains after mitigations are in place. Risk avoidance is deciding not to take on an activity or purchase an asset.
- Answer: D An AUP states the practices users must agree to before accessing the organization's network or internet. For best security, all users must accept the AUP.
- Answer: B Alpha and beta services are for testing new customer features that users might enjoy, but could go away if enough users don't like them. Financial credits, covered services, and SLOs are all part of SLAs.
- Answer: C Non-repudiation is a property whereby the sender of an email cannot deny having sent it. Hashing and encryption are used as part of the process but alone do not provide non-repudiation; a digital signature, in which the sender signs a hash of the message with a private key that only they hold, is the usual mechanism. A fingerprint might help on a physical document, depending on the process.
- Answer: B Everyone within an organization needs security education. Threats such as malware come through computers, and anyone can leave a door open that allows an attacker to enter the building.
- Answer: C The employment candidate-screening process or policy includes conducting background checks, drug screenings, lie-detector screening, interviewing of neighbors, fingerprinting, and so on, depending on the job.
- Answer: B NCAs are legal agreements, but in many jurisdictions they are hard or impossible to enforce because workers need to earn an income in the field they have been trained in.
- Answer: A HR understands the policies best for proper provisioning and deprovisioning of staff, and can handle it with the lowest risk of litigation. Other departments may be involved to provide data for the termination, but HR is in charge.
- Answer: A Since Daniil worked the last week, he does not have to return the paycheck. All of the other items are corporate-owned and must be returned.
- Answer: A Sunk costs are expenditures that cannot be recovered. An item the organization has purchased—for example, a computer—is an asset, but not an expense. Trademarks and other intellectual property are also assets, even though they are intangible. Staff are also assets.
- Answer: C Risk is the likelihood a threat will exploit a vulnerability and cause harm to some asset. Safeguards protect assets from threats. Exposure is the degree of asset loss endangerment due to threats. A breach occurs when security has been compromised.
- Answer: D The biggest threat to organizations is internal threats that develop from disgruntled employees. All of the others are threats and can cause a lot of damage and expensive recoveries, but because internal threats have white-box knowledge of the organization, they are the biggest threat.
- Answer: D Do not use a firm that promises to bring risk to zero: there is no such thing as zero risk, and the only zero-risk business is one that does no business at all. Risk assessment and analysis involve determining the scope, categorizing assets, and bringing risks down to acceptable levels.
- Answer: B The following values get used in quantitative risk analysis. SLE = AV * EF. The ARO is the frequency a risk occurs in a year. The ALE = the ARO * SLE.
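The formulas in this answer and the worked SLE/ALE numbers earlier in the key (AV = $2,000, EF = 50%, ARO = 5) are carried through in the following added Python example, which is not part of the original answer key. It builds a small constructed risk register, ranks scenarios by ALE, and then goes one step beyond the key by applying the standard safeguard cost/benefit formula (ALE before minus ALE after minus the safeguard's annual cost), which the key itself does not state. The scenario values, the backup safeguard, and its $1,200 annual cost are all assumptions made for this example.

```python
"""Quantitative risk analysis helpers: SLE, ALE, ranking, and safeguard cost/benefit.

Added example, not part of the original answer key. The scenarios below are
constructed; the cost/benefit formula (ALE before - ALE after - annual
safeguard cost) is the standard one but is not stated in the answer key.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float      # AV: dollar value of the asset
    exposure_factor: float  # EF: fraction of AV lost per occurrence, 0.0 to 1.0
    aro: float              # ARO: expected occurrences per year

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("AV and ARO must be non-negative")

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV * EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE * ARO."""
        return self.sle() * self.aro


def rank_by_ale(scenarios):
    """Highest ALE first: the order in which to spend a limited safeguard budget."""
    return sorted(scenarios, key=lambda s: s.ale(), reverse=True)


def safeguard_value(before: Scenario, after: Scenario, annual_cost: float) -> float:
    """Net annual value of a safeguard: ALE(before) - ALE(after) - annual cost.
    Positive means the control pays for itself; negative means accept the risk
    or look for a cheaper control."""
    return before.ale() - after.ale() - annual_cost


# --- constructed sample register ---------------------------------------------
SMARTPHONE = Scenario("smartphone data loss", asset_value=2000, exposure_factor=0.50, aro=5)
LAPTOP_THEFT = Scenario("laptop theft", asset_value=3000, exposure_factor=1.0, aro=0.2)
WEB_DEFACEMENT = Scenario("web server defacement", asset_value=50000, exposure_factor=0.05, aro=3)

# Hypothetical safeguard: nightly backups cut the EF for the smartphone data to 10%
SMARTPHONE_WITH_BACKUPS = Scenario("smartphone data loss (with backups)", 2000, 0.10, 5)
BACKUP_ANNUAL_COST = 1200.0


def demo():
    """Ranking of the register by ALE and the net value of the backup safeguard."""
    ranking = [s.name for s in rank_by_ale([SMARTPHONE, LAPTOP_THEFT, WEB_DEFACEMENT])]
    value = safeguard_value(SMARTPHONE, SMARTPHONE_WITH_BACKUPS, BACKUP_ANNUAL_COST)
    return ranking, value


if __name__ == "__main__":
    for s in rank_by_ale([SMARTPHONE, LAPTOP_THEFT, WEB_DEFACEMENT]):
        print(f"{s.name:30} SLE=${s.sle():>9,.2f}  ALE=${s.ale():>9,.2f}")
    print("backup safeguard net annual value: $", demo()[1])
```

Note that the ranking is by ALE, not by asset value: the $50,000 web server with a small exposure factor still outranks the $2,000 smartphone because it is expected to be hit three times a year, which is the point of multiplying by ARO.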
- Answer: A Qualitative risk analysis depends less on hard calculations such as quantitative risk, and more on rankings and judgment.
- Answer: C NIST SP 800-37 provides guidance on using the RMF for federal systems. The steps are preparing the organization, categorizing the system, selecting controls, implementing controls, assessing controls, authorizing the system, and monitoring the controls.
- Answer: A Once risk reaches an acceptable level, no other mitigations need to be applied.
- Answer: D According to Thycotic Engineering, the remembering and changing of passwords is the number 1 source of cyber fatigue. To ease this fatigue, implement 2FA, autofill, and simpler password rules. Learn more here: https://www.cisco.com/c/en/us/products/security/ciso-benchmark-report-2020.html.
- Answer: D Although all of the others are true, working around the central IT department is referred to as shadow IT.
- Answer: C A zero trust architecture (ZTA) trusts no one, verifying inside and outside traffic before connecting to the network or any of the systems.
- Answer: B Education leads to some type of degree, such as a bachelor's or master's. Training is focused on specific knowledge or a specific job. Awareness is a minimal understanding of security issues. BOAF (birds-of-a-feather) sessions generally occur at conferences, where people with similar backgrounds exchange knowledge and ideas.
- Answer: A The military is one exception where secret data could be more important than people. Others might argue the Star Trek defense, where the many (lives) outweigh the few.
- Answer: D A DRP is executed only if the BCP fails to keep the business running. Checking the fuse box or contacting the electric company might be the first steps of the BCP, but always follow the plan first.